Programming Tips - How do I prevent SQL injection attacks when using Perl's DBI

Date: 2008jan11
Keywords: mysql, postgresql
Language: perl

Q. How do I prevent SQL injection attacks when using Perl's DBI?

A. Use the quote() method. Like this:
    use DBI;
    use strict;
    use warnings;

    # Vulnerable: the caller-supplied value is interpolated straight into the
    # SQL text, so a single quote in $name changes the meaning of the query.
    sub unsafe($$) {
        my ($dbh, $name) = @_;
        my ($sql, $sth);
        $sql = qq(SELECT * FROM customers WHERE name = '$name');
        $sth = $dbh->prepare($sql);
        # ...
    }

    # Safe: quote() adds the surrounding quotes and escapes the value using
    # the rules of the connected driver, so it is always read as one string.
    sub safe($$) {
        my ($dbh, $name) = @_;
        my ($sql, $sth);
        $name = $dbh->quote($name);    # Safely add quotes
        $sql = qq(SELECT * FROM customers WHERE name = $name);
        $sth = $dbh->prepare($sql);
        # ...
    }
Besides preventing injection attacks, it also, more mundanely, lets strings contain single quotes, e.g. a name such as O'Hara, which would otherwise break the unsafe query.

Related
http://www.davekb.com/search.php?target=perl+DBI
http://www.davekb.com/search.php?target=mysql
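The following is an added, runnable example (not code from the original tip) showing quote() handling the O'Hara case end to end, beside DBI's other safe option, a ? placeholder with execute(). It assumes DBD::SQLite is installed and uses an in-memory database in place of MySQL or PostgreSQL; the quote() output shown in the comments is what DBD::SQLite produces, and other drivers escape differently.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available. An in-memory database stands in
# for the MySQL/PostgreSQL server the original tip has in mind.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });

# Constructed sample data, including the awkward name from the tip.
$dbh->do("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
my $ins = $dbh->prepare("INSERT INTO customers (name) VALUES (?)");
$ins->execute($_) for ("O'Hara", "Smith");

# Option 1: quote(). The driver wraps the value in quotes and escapes any
# embedded quote with its own rules: DBD::SQLite yields 'O''Hara', while
# DBD::mysql would yield 'O\'Hara'. That driver dependence is exactly why
# hand-rolled escaping is a bad idea and quote() is not.
sub by_quote {
    my ($dbh, $name) = @_;
    my $sql = "SELECT id FROM customers WHERE name = " . $dbh->quote($name);
    print "quote() built: $sql\n";
    return $dbh->selectall_arrayref($sql);
}

# Option 2: a placeholder. The value is handed to execute() separately and
# never becomes part of the SQL text, so there is nothing to escape.
sub by_placeholder {
    my ($dbh, $name) = @_;
    my $sth = $dbh->prepare("SELECT id FROM customers WHERE name = ?");
    $sth->execute($name);
    return $sth->fetchall_arrayref;
}

for my $name ("O'Hara", "Smith") {
    my $q = by_quote($dbh, $name);
    my $p = by_placeholder($dbh, $name);
    printf "%-7s -> %d row(s) via quote(), %d row(s) via placeholder\n",
           $name, scalar @$q, scalar @$p;
}

$dbh->disconnect;
```

Interpolating O'Hara the unsafe way would produce `WHERE name = 'O'Hara'`, which the database rejects as a syntax error; both approaches above return the single matching row instead.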